TECHNOLOGY

Dissecting Phish

If you own an email account, you have most likely been phished, or at least someone has tried to phish information from you. What is phishing? It is a term used to describe a practice by which cyber-thieves steal your personal information and ultimately your money. Here is how the scam works.

1) You receive an email that claims it is from your bank or credit card company. The message usually involves suspicious activity noted on your account, cancellation of your account, or the account being placed on hold.

2) The message will always contain a link that points you to the website where you can log on and rectify the situation. The link that you see in the email is not usually where the actual hyperlink takes you.

3) They will ask you for personal information like User ID, PIN, Credit/Debit Card number, social security number, etc.

Hopefully that gave you enough information to remember the time you received your last phishing email. If not, you won't need to wait long to receive another one. Understanding and recognizing Phishes is the best way to avoid becoming a victim.

Legal Disclaimer: The following is an opinion and/or advice based upon professional experience and is not and should not be implied as a guarantee against disclosure of personal information or monetary loss.

That being said, let's take a closer look at what comprises a Phish.

We've set up a "dummy" phish page here, www.halfsquare.net/anybank/fraud.html, to illustrate what a phish site might look like. This page is for educational purposes only.

This example is typical of a phishing link. The "www.halfsquare.net" is referred to as the domain. The "anybank" portion is a directory containing "fraud.html", which is the actual page content. Typically the "anybank" directory will be the name of the bank or credit card company that the email is spoofing. Because users are getting smarter and more suspicious about links they receive in emails, phishers may use a website's registered IP address in order to further disguise the spoofed site. The example below is how a phisher may disguise the website listed above. [For more information on this topic, research Master DNS or Domain Naming Service]

http://www.halfsquare.net/anybank/fraud.html is the registered IP address for the phishing site given above. Type in http://www.halfsquare.net and you will find yourself on the Halfsquare homepage. Still with me? Good.

Phishing sites can be published in one of two ways. The first way is to buy a domain name that is very similar to the victim site. For example, www.halfsquarebank.net may fool many people into thinking it is related to www.halfsquare.net. The second type of Phishing site is created by hijacking legitimate computer systems or websites. Typically these are legitimate sites that are unknowingly hosting a fraudulent site. For example, www.google.com/anybank/fraud.html. (Note: Google has not to our knowledge ever been involved in a phishing incident; it is used here simply as a recognizable domain.)

Knowing the type of Phish is really irrelevant to the user unless you have a Superman complex and care to save the day. You may contact the Internet Service Provider hosting a Phishing site if it is domain-based, or you may contact the site administrator of the legitimate site if you recognize it as a hijacked system. Either way, you should forward the email to the respective fraud contact for the bank, credit card company, or any other company being phished. Let me repeat: you should FORWARD the email you received to the phished company. This gives an investigative team the ability to track the Phish and hopefully disable it quickly.

Here is a summary of things you can review to determine whether the site you are looking at is real or a Phish.

> Is the domain registered to the actual company it claims to be? (You can use www.samspade.org to research the domain owner)


> Legitimate companies would never link to a site that uses an IP address as opposed to a domain name. (i.e. http://www.halfsquare.net)

> Legitimate companies conduct business over secured websites. Look for "https:" in the address bar or the "Padlock" in the lower right hand corner if you are using Internet Explorer.
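The checks listed above can be run mechanically over the links in an HTML email. The following Python sketch is an added example, not part of the original article; the sample message, the address 192.0.2.10 and the anybank.example names are constructed placeholders, and the domain the reader expects is passed in as an assumption.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample; 192.0.2.10 and the .example names are reserved placeholders.
SAMPLE_EMAIL = """<p>Your account is on hold.
<a href="http://192.0.2.10/anybank/fraud.html">https://www.anybank.example/login</a>
<a href="https://www.anybankonline.example/">Log in</a>
<a href="https://www.anybank.example/help">Help centre</a></p>"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def check_links(html, expected_domain):
    """Return [(href, [warnings])] for links that fail the article's checks."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        url, warnings = urlsplit(href), []
        host = (url.hostname or "").lower()
        if is_ip(host):  # link goes to a bare IP address, not a domain name
            warnings.append("host is an IP address")
        elif host != expected_domain and not host.endswith("." + expected_domain):
            warnings.append("host is not under " + expected_domain)  # look-alike
        if url.scheme != "https":
            warnings.append("not https")
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown != host:  # text displays one site, href opens another
            warnings.append("visible text shows a different host")
        findings.append((href, warnings))
    return [f for f in findings if f[1]]
```

Calling `check_links(SAMPLE_EMAIL, "anybank.example")` flags the first two links and passes the third.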


Some of the things you can do to avoid becoming a victim are:

> Never access banking or other financial websites from a link provided through email. It is always best to type the URL into the address bar manually.

> Make all changes to personal information directly with your banking and financial companies via telephone or in-office if there is a local branch. Most companies allow you to modify personal information through their secured webpage but direct contact may give you peace-of-mind.

> Discuss this with your spouse or significant other so they don't unknowingly provide the information when they happen across one of your emails that states your account has been compromised!

> If you think you may have provided information to a Phish, notify your banking or financial institution immediately. It could be as short as an hour before your account is drained via ATM in a foreign country.

Here are some additional resources to learn more about phishing and, more importantly, to avoid becoming a victim.

http://www.antiphishing.org - an organization dedicated to Phishing and consumer awareness. Contains archives of recent known Phishes.

http://toolbar.netcraft.com - a nifty toolbar you can add to Internet Explorer that alerts you if/when you visit a known Phishing site.

Read more articles from John Doan